The ISO/IEC 27001 audit process explained
Learn more about the ISO standard audit process, which is crucial to achieving ISO certification, below.
Getting started with ISO/IEC 27001 audits
Gaining and maintaining certification for your ISO/IEC 27001 Information Security Management System (ISMS) is not a one-off event. It’s a series of connected audits and reviews designed to ensure your organisation and Management System remain compliant with the relevant ISO standard.
Once your ISMS is developed and implemented, it must be audited to achieve initial certification. This process follows the same principles applied across all ISO Management Systems.
All audits are based on the principle of verifying that your organisation is actually doing what it says in your documented Management System and confirming compliance with the ISO standard.
ISO/IEC 27001 audit cycle
Initial ISO/IEC 27001 certification audit
The initial ISO/IEC 27001 audit determines whether your organisation qualifies for certification. Also known as an external audit, a third-party audit or a registration audit, it is conducted by a Certification Body (CB) that appoints an Auditor or possibly a team of Auditors, depending on the size of your organisation, the number of sites and the scope and complexity of your Management System.
It’s essential that the Certification Body is UKAS accredited to ensure recognised and credible certification.
The Initial Audit is typically split into two stages, with an optional pre-assessment available.
Pre-assessment (optional)
Some certification bodies, including ISOQAR, offer a pre-assessment. This informal review acts like a “dry run”, helping identify your strengths, weaknesses and gaps before the formal audit. It provides valuable insight to improve readiness for Stage 1.
Stage 1 ISO/IEC 27001 audit
Also called the Document Review, Document Audit or Readiness Review, the Stage 1 audit evaluates whether your ISMS is ready for the more comprehensive Stage 2 ISO/IEC 27001 Audit.
When to perform Stage 1
After your ISMS is developed and implemented, once you have generated evidence of its effectiveness, such as Internal Audits, Management Reviews, and documented records for the Auditor to examine.
Duration
The length of the audit is determined by a formula set by UKAS. Factors such as the size of your organisation, risk and complexity are taken into account. It is measured in whole days. For most small or medium businesses, the Stage 1 Audit will be completed on-site within two days, while Stage 2 is usually longer.
Location
If you have more than one site, it will usually be conducted at your head office. Being on-site allows the Auditor to get an impression of the organisation and the site. However, audits can also be done remotely depending on the complexity of the Management System and other considerations.
What happens during Stage 1
This stage is largely a document-focused reconnaissance. The Auditor reviews your ISMS documentation, scope, objectives, policies and procedures, and may have preliminary discussions with employees. The goal is to assess readiness and plan Stage 2.
The key objectives of Stage 1 are:
- Review ISMS documentation and supporting records
- Walk the site to plan Stage 2
- Understand company operations, key processes, and equipment
- Confirm statutory and regulatory requirements are documented
- Assess readiness of personnel for Stage 2
- Evaluate status of Internal Audits and Management Reviews
- Plan Stage 2 Audit scope, dates, and sites
Optional but recommended reviews:
- Internal audit processes
- Management review effectiveness
- Senior management commitment
- Complaints handling
- Purchasing and procurement
- Objectives and targets
What happens after Stage 1
You will receive verbal feedback from the Auditor at the end of the Audit, followed by a written report within five days. While Stage 1 does not result in nonconformities, Improvement Requests may be issued. These should be addressed before Stage 2 to avoid issues affecting certification.
Top Tip: Use Stage 1 to openly discuss challenges. While the Auditor cannot develop your ISMS for you, they can provide insight based on experience with other organisations.
Your written report will include:
- Assessment of your ISO/IEC 27001 Information Security Management System and determination of your readiness for a Stage 2 Audit
- Assessment of your understanding of the requirements of the standard
- Agreement of the scope of your ISO/IEC 27001 Information Security Management System and Scope of Certification
- Plan for the Stage 2 Audit and agreement on the date(s) and sites
- Improvement Requests and areas for potential improvement of the Management System
Stage 2 ISO/IEC 27001 audit
The Stage 2 ISO/IEC 27001 audit is the final assessment before certification. It normally takes place on-site, and is longer and more in-depth than Stage 1.
Purpose
To determine if your ISMS is fully compliant with the ISO/IEC 27001 standard and whether certification should be awarded.
Timing
The Stage 2 Audit is usually performed 6-8 weeks after Stage 1. Normally, your system should have been running for at least three months – ideally longer – and after any Stage 1 Improvement Requests have been addressed. Stage 1 and Stage 2 Audits should be performed no more than six months apart, otherwise the Stage 1 Audit may have to be repeated.
Duration
As with the Stage 1 Audit, the length of the audit is determined by the formula set by UKAS, and will be calculated before the Stage 1 Audit takes place. In exceptional cases, depending on the findings of the Stage 1 Audit, the length of the Stage 2 Audit may be adjusted but you will be told this in advance.
Location
A Stage 2 Audit is usually conducted on-site at your head office and across a sample of sites. However, audits may be done remotely due to exceptional circumstances. If you have multiple sites, the sites to be audited will be agreed at the Stage 1 Audit. The Certification Body uses the ‘square root’ rule to determine how many sites will be audited on the Stage 2 Audit. So, for example, if you have 25 sites in the scope of your certification, then at least five should be audited in an Initial Audit. This is a rule used by all UKAS-accredited Certification Bodies.
What happens in the Stage 2 Audit?
- Opening meeting to outline audit scope
- Review and closure of Stage 1 Improvement Requests
- Inspection of documentation for ISO/IEC 27001 compliance
- Assessment of ISMS effectiveness against organisational objectives
- Audit of operational processes, policies, and procedures
- Evaluation of Internal Audits, Management Reviews, preventive and corrective actions
- Review of key performance objectives and targets
What happens after the Stage 2 Audit?
At the end of the audit, the Auditor will hold a closing meeting with you to review and discuss any nonconformities and potential corrective action. At the meeting, you will be told whether you have been recommended for ISO/IEC 27001 certification or not.
You will also receive a written report after the meeting which will include observations made by the Auditor and a summary of the findings. The report will identify minor nonconformities, major nonconformities and opportunities for improvement.
- Major nonconformities – A total breakdown of a system meaning you fail to meet a requirement of the standard. A number of minor nonconformities against one requirement can represent a total breakdown of the Management System and thus be considered a major nonconformity. Major nonconformities must be rectified before certification can be recommended by the Auditor. This may involve a further site visit by the Auditor.
- Minor nonconformities – May be either a failure or a single observed lapse in some part of the management system. Minor nonconformities do not affect the recommendation for approval but must be addressed prior to the issue of your certificate.
- Opportunities for Improvement (OFI) – These relate to existing conditions which, according to the Auditor, may warrant clarification or investigation so as to improve the overall status and effectiveness of the Management System. They do not affect the recommendation for certification.
If there are any nonconformities – whether they are minor or major – you will not receive certification until corrective action has been taken. You will normally be allowed up to three months to do this.
Failure to be recommended for ISO/IEC 27001 certification on the day does not necessarily mean that the Auditor will have to visit and audit you again. You will probably just need to provide evidence that you have taken corrective action.
Annual surveillance ISO/IEC 27001 audits
One of the main objectives of an ISO/IEC 27001 Information Security Management System is to ensure continual improvement. The principle of Plan–Do–Check–Act, supported by regular audits and reviews, underpins this commitment and ensures your ISMS remains effective and resilient.
Annual Surveillance Audits are a major component of this continual improvement cycle. They are a mandatory requirement to maintain your UKAS-accredited ISO/IEC 27001 certification.
Timing
Typically, your organisation will undergo an Annual Surveillance Audit at the end of Year 1 and Year 2 of its certification cycle. The first audit is normally scheduled slightly before the end of the first year with ISOQAR. This ensures that the audit cycle aligns correctly and leaves enough time for your Recertification Audit to take place before the end of Year 3.
This timing matters: if any nonconformities are identified late in Year 3, you need adequate time to address them before your certificate expires.
Larger or more complex organisations sometimes choose to spread their surveillance activities throughout the year. The schedule can be agreed with the Auditor.
Duration
As with other audits in the cycle, how much time is dedicated to an Annual Surveillance Audit is determined by the formula set by UKAS. It is normally shorter than a Stage 2 ISO/IEC 27001 Audit.
Location
The Annual Surveillance Audit is usually conducted on-site; however, audits may be done remotely in exceptional circumstances. If you have multiple sites, then your head office will always be audited, plus different sites from those chosen for the Initial ISO/IEC 27001 Certification Audit. Different sites will be selected for the second Annual Surveillance Audit and the Recertification Audit, although the head office will be included on every audit.
What happens in the Annual Surveillance Audit?
The Auditor will follow a similar approach to the Stage 2 Audit, although the scope is narrower and targeted towards areas of risk and performance.
The focus is influenced by previous audit findings – especially any weaknesses or nonconformities identified earlier. The following will be assessed as a minimum:
- Nonconformities and corrective actions from previous audits
- The maintenance, maturity and performance of your ISMS
- The effectiveness of Internal Audits
- Management Review outcomes
- Preventative and corrective actions
- Any updates to documentation
The second Annual Surveillance Audit will typically explore different processes or departments in your organisation to ensure full ISMS coverage across the three-year period.
What happens after the Annual Surveillance Audit?
At the end of the audit, the Auditor will present their findings and later provide a written report detailing any nonconformities.
If any major nonconformities are raised, you will have up to three months to implement corrective action and provide evidence. Failure to do so may result in suspension or could mean that your certificate will be withdrawn.
For minor nonconformities, the Auditor will agree a management plan with you. Depending on the risk and severity, they may be closed through follow-up evidence, at the next surveillance audit, or in some cases via an additional visit.
Recertification ISO/IEC 27001 audit
Your ISO/IEC 27001 certificate remains valid for three years from the date of issue. In order to maintain your certification you must undergo a Recertification Audit in the third year. This audit is more comprehensive than the surveillance audits and is similar to the original Stage 2 Audit.
Timing
It is advisable to schedule your Recertification Audit at least three months before the end of Year 3. This not only ensures you avoid any break in your certification, but also allows you to take corrective action on any nonconformities (either minor or major) identified in the audit before your certification expires.
Duration
A Recertification Audit typically takes about two-thirds the time required for your Initial Audit.
Location
The Recertification Audit is usually conducted on-site. If you have multiple sites, it will always include your head office plus sites not included in your Initial Audit and Surveillance Audits. Audits may be done remotely due to exceptional circumstances.
What happens in the Recertification Audit?
The Recertification Audit provides a complete assessment of your ISMS and its ongoing suitability.
This includes:
- Review of nonconformities and areas for improvement from earlier audits
- Evaluation of the overall effectiveness of your ISMS
- Confirmation that the scope of your certification remains accurate and relevant
- Audit of operational processes to ensure effective control and adherence to policies
- Review of Internal Audits and Management Review processes
- Assessment of preventive and corrective actions
- Examination of key performance objectives, targets and continual improvement
What happens after the Recertification Audit?
As with the Stage 2 Audit, there will be a closing meeting and a comprehensive written report delivered to you.
Any nonconformities identified by the Auditor must be addressed before the third anniversary of the date your certificate was issued. If you fail to do this, then your certificate may be withdrawn.
Assuming everything goes well and once all requirements are met, you will be issued with a new ISO/IEC 27001 certificate, and the three-year cycle begins again.